QR codes: Quishing, risks and tips to stay safe

We’ve all come to accept and trust QR codes, but how safe are they? Here’s what you need to be aware of.

A QR code, short for Quick Response code, is a scannable image that the camera on your smartphone can quickly read. We use them at restaurants to view the menu, and we scan them to authenticate an online account, download apps, access customer support or pay for parking. Presented as an array of black and white squares or pixels set in a grid, a QR code is similar to a barcode in that it stores encoded information.

When scanned, the information is decoded, allowing the data to be accessed in its original form. Most QR codes are designed simply to transmit URLs and as such, using a QR code is similar to typing a web address into your browser, only faster and more convenient. But are QR codes safe?

QR codes can be vulnerable tools

While QR codes aren’t inherently dangerous, they’re easy to make and therefore easy for criminals and scammers to manipulate. Since mid-2023 there has been a rise in the number of phishing campaigns utilizing QR codes, a technique referred to as QR code phishing or quishing. Quishing often involves sending an urgent or threatening email with an embedded QR code that directs users to malicious websites. These websites typically spoof legitimate company websites and then ask users to input private information like log-in credentials, banking information, or credit card details. They can also infect your devices with malware (a.k.a. a virus) that is capable of monitoring your online activities and locking access to your files.

Learning the risks

By scanning a QR code, you could be susceptible to the following risks:

  • Tracking your online activity on websites using cookies. Your data can be collected and used for marketing purposes without your consent.
  • Collecting metadata associated with you, such as the type of device you used to scan the code, your IP address, location and the information you enter while on the site.
  • Exposing financial data, such as your credit card number, if you used it to purchase goods or services while on the website.

For a real-world example, the police department in Austin, Texas reported finding 29 fraudulent QR codes tacked onto the city’s parking meters. When unsuspecting victims scanned the QR code, they were sent to an official-looking payment page to pay for parking. But when they entered their credit card information, it was sent to scammers who could then use it to make fraudulent purchases.

Being QR code savvy

While the majority of QR codes are perfectly safe, you shouldn’t trust every QR code you see. In fact, the information security industry warns against scanning a QR code unless you are absolutely sure that it has not been tampered with, was not created by scammers, and does not redirect to a malicious site. Here are a few tips for keeping your information safe:

  1. Be careful of codes posted publicly or sent to you via email, and always look at the link’s URL before clicking it, making sure it points to the website you’re expecting it to.
  2. Don't use a third-party QR code scanning app, even if it can be found on a reputable app store. Instead, use an app that came preloaded on your device, like the built-in QR scanners that are part of almost every smartphone camera. These scanners display the site link before opening it, allowing you to verify it first and close it if it doesn't match what you're expecting.
  3. Review the preview of the QR code’s URL destination before opening it. Make sure the website uses HTTPS and the address doesn’t have any misspellings, and confirm the domain name in a separate browser.
  4. If you receive a QR code from a trusted source via email, confirm separately with a phone call or text message that it’s legitimate.
  5. Be extra wary if a QR code takes you to a site that requests payment or personal information.
  6. If you create QR codes for others to use, include the URL (website address) underneath the image, to let users know where it should go.
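
The URL checks from tips 1 and 3, written out as an added Python example (not part of the original article). It goes slightly beyond the tips by also flagging user-info tricks, punycode hosts and bare IP addresses; cityparking.example is a constructed placeholder domain and the two-edit lookalike threshold is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_qr_url(payload, expected_domain):
    """Return warnings for a URL decoded from a QR code (empty list = no flags)."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable-url"]
    expected = expected_domain.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    # "https://trusted.example@other.test/" really opens other.test
    if parts.username is not None or parts.password is not None:
        warnings.append("userinfo-in-url")
    # Internationalised names can imitate Latin letters with other scripts
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ascii-or-punycode-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass
    if host == expected or host.endswith("." + expected):
        return warnings
    warnings.append("unexpected-domain")
    # Compare the same number of trailing labels as the expected domain has
    tail = ".".join(host.split(".")[-len(expected.split(".")):])
    if edit_distance(tail, expected) <= 2:  # assumed threshold
        warnings.append("lookalike-of-expected-domain")
    return warnings

# Constructed sample payloads; cityparking.example is a placeholder domain
if __name__ == "__main__":
    for url in ["https://cityparking.example/pay?zone=12",
                "https://cityparkinq.example/pay",
                "https://cityparking.example.pay.test/"]:
        print(url, check_qr_url(url, "cityparking.example"))
```

An empty list only means none of these checks fired; it does not prove the site is legitimate.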

Check out more tips for keeping your information secure on the University of Alberta’s Chief Information Security Officer website.

